3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2025-01-05 12:52:37 +01:00

eapol: Silently discard invalid EAPoL frames

Do not fail an ongoing handshake when an invalid EAPoL frame is
received.  Instead, follow the intent of 802.11-2020 section 12.7.2:
"EAPOL-Key frames containing invalid field values shall be silently
discarded."

This prevents a denial-of-service attack where receipt of an invalid,
unencrypted EAPoL 1/4 frame generated by an adversary results in iwd
terminating an ongoing connection.

Reported-by: Domien Schepers <schepers.d@northeastern.edu>
This commit is contained in:
Denis Kenzior 2022-05-09 16:21:49 -05:00
parent 1409364371
commit 1ef97e5cbc

View File

@ -1152,7 +1152,7 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
l_debug("ifindex=%u", sm->handshake->ifindex); l_debug("ifindex=%u", sm->handshake->ifindex);
if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len)) if (!eapol_verify_ptk_1_of_4(ek, sm->mic_len))
goto error_unspecified; return;
pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len), pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len),
EAPOL_KEY_DATA_LEN(ek, sm->mic_len)); EAPOL_KEY_DATA_LEN(ek, sm->mic_len));
@ -1676,10 +1676,8 @@ static void eapol_handle_ptk_3_of_4(struct eapol_sm *sm,
l_debug("ifindex=%u", hs->ifindex); l_debug("ifindex=%u", hs->ifindex);
if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len)) { if (!eapol_verify_ptk_3_of_4(ek, hs->wpa_ie, sm->mic_len))
handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
return; return;
}
/* /*
* 802.11-2016, Section 12.7.6.4: * 802.11-2016, Section 12.7.6.4:
@ -2086,10 +2084,8 @@ static void eapol_handle_gtk_1_of_2(struct eapol_sm *sm,
l_debug("ifindex=%u", hs->ifindex); l_debug("ifindex=%u", hs->ifindex);
if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len)) { if (!eapol_verify_gtk_1_of_2(ek, hs->wpa_ie, sm->mic_len))
handshake_failed(sm, MMPDU_REASON_CODE_UNSPECIFIED);
return; return;
}
oci = handshake_util_find_kde(HANDSHAKE_KDE_OCI, decrypted_key_data, oci = handshake_util_find_kde(HANDSHAKE_KDE_OCI, decrypted_key_data,
decrypted_key_data_size, &oci_len); decrypted_key_data_size, &oci_len);